Support customizable resource names to fast stage 1 #2769

Merged
merged 2 commits into from
Dec 16, 2024
2 changes: 1 addition & 1 deletion .github/workflows/linting.yml
Expand Up @@ -44,7 +44,7 @@ jobs:
- uses: terraform-linters/setup-tflint@v4
name: Setup TFLint
with:
tflint_version: v0.50.3
tflint_version: v0.54.0

- name: Init TFLint
run: |
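
Review bot: The `uses: terraform-linters/setup-tflint@v4` line above the changed `tflint_version` still references the action by a movable major tag, so the workflow pins the linter binary to v0.54.0 but not the action code that installs it. Consider pinning the action to a full commit SHA, with the tag kept as a trailing comment. The bump from v0.50.3 is also unrelated to the resource-name change in the PR title, so a line in the PR description saying why it is needed would help.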
2 changes: 1 addition & 1 deletion fast/stages/0-bootstrap/README.md
Expand Up @@ -678,7 +678,7 @@ The remaining configuration is manual, as it regards the repositories themselves
| [org_policies_config](variables.tf#L271) | Organization policies customization. | <code title="object&#40;&#123;&#10; iac_policy_member_domains &#61; optional&#40;list&#40;string&#41;&#41;&#10; constraints &#61; optional&#40;object&#40;&#123;&#10; allowed_essential_contact_domains &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; allowed_policy_member_domains &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; import_defaults &#61; optional&#40;bool, false&#41;&#10; tag_name &#61; optional&#40;string, &#34;org-policies&#34;&#41;&#10; tag_values &#61; optional&#40;map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; id &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [outputs_location](variables.tf#L299) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> | | <code>null</code> | |
| [project_parent_ids](variables.tf#L314) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | <code title="object&#40;&#123;&#10; automation &#61; optional&#40;string&#41;&#10; billing &#61; optional&#40;string&#41;&#10; logging &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [resource_names](variables.tf#L325) | Resource names overrides for specific resources. Check the code to determine which overrides are supported. | <code title="object&#40;&#123;&#10; bq-billing &#61; optional&#40;string, &#34;billing_export&#34;&#41;&#10; bq-logs &#61; optional&#40;string, &#34;logs&#34;&#41;&#10; gcs-bootstrap &#61; optional&#40;string, &#34;prod-iac-core-bootstrap-0&#34;&#41;&#10; gcs-logs &#61; optional&#40;string, &#34;prod-logs&#34;&#41;&#10; gcs-outputs &#61; optional&#40;string, &#34;prod-iac-core-outputs-0&#34;&#41;&#10; gcs-resman &#61; optional&#40;string, &#34;prod-iac-core-resman-0&#34;&#41;&#10; gcs-vpcsc &#61; optional&#40;string, &#34;prod-iac-core-vpcsc-0&#34;&#41;&#10; project-automation &#61; optional&#40;string, &#34;prod-iac-core-0&#34;&#41;&#10; project-billing &#61; optional&#40;string, &#34;prod-billing-exp-0&#34;&#41;&#10; project-logs &#61; optional&#40;string, &#34;prod-audit-logs-0&#34;&#41;&#10; pubsub-logs_template &#61; optional&#40;string, &#34;&#36;&#36;&#123;key&#125;&#34;&#41;&#10; sa-bootstrap &#61; optional&#40;string, &#34;prod-bootstrap-0&#34;&#41;&#10; sa-bootstrap_ro &#61; optional&#40;string, &#34;prod-bootstrap-0r&#34;&#41;&#10; sa-cicd_template &#61; optional&#40;string, &#34;prod-&#36;&#36;&#123;key&#125;-1&#34;&#41;&#10; sa-cicd_template_ro &#61; optional&#40;string, &#34;prod-&#36;&#36;&#123;key&#125;-1r&#34;&#41;&#10; sa-resman &#61; optional&#40;string, &#34;prod-resman-0&#34;&#41;&#10; sa-resman_ro &#61; optional&#40;string, &#34;prod-resman-0r&#34;&#41;&#10; sa-vpcsc &#61; optional&#40;string, &#34;prod-vpcsc-0&#34;&#41;&#10; sa-vpcsc_ro &#61; optional&#40;string, &#34;prod-vpcsc-0r&#34;&#41;&#10; wf-bootstrap &#61; optional&#40;string, &#34;&#36;&#36;&#123;prefix&#125;-bootstrap&#34;&#41;&#10; wf-provider_template &#61; optional&#40;string, &#34;&#36;&#36;&#123;prefix&#125;-bootstrap-&#36;&#36;&#123;key&#125;&#34;&#41;&#10; wif-bootstrap &#61; optional&#40;string, 
&#34;&#36;&#36;&#123;prefix&#125;-bootstrap&#34;&#41;&#10; wif-provider_template &#61; optional&#40;string, &#34;&#36;&#36;&#123;prefix&#125;-bootstrap-&#36;&#36;&#123;key&#125;&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [resource_names](variables.tf#L325) | Resource names overrides for specific resources. Prefix is always set via code, except where noted in the variable type. | <code title="object&#40;&#123;&#10; bq-billing &#61; optional&#40;string, &#34;billing_export&#34;&#41;&#10; bq-logs &#61; optional&#40;string, &#34;logs&#34;&#41;&#10; gcs-bootstrap &#61; optional&#40;string, &#34;prod-iac-core-bootstrap-0&#34;&#41;&#10; gcs-logs &#61; optional&#40;string, &#34;prod-logs&#34;&#41;&#10; gcs-outputs &#61; optional&#40;string, &#34;prod-iac-core-outputs-0&#34;&#41;&#10; gcs-resman &#61; optional&#40;string, &#34;prod-iac-core-resman-0&#34;&#41;&#10; gcs-vpcsc &#61; optional&#40;string, &#34;prod-iac-core-vpcsc-0&#34;&#41;&#10; project-automation &#61; optional&#40;string, &#34;prod-iac-core-0&#34;&#41;&#10; project-billing &#61; optional&#40;string, &#34;prod-billing-exp-0&#34;&#41;&#10; project-logs &#61; optional&#40;string, &#34;prod-audit-logs-0&#34;&#41;&#10; pubsub-logs_template &#61; optional&#40;string, &#34;&#36;&#36;&#123;key&#125;&#34;&#41;&#10; sa-bootstrap &#61; optional&#40;string, &#34;prod-bootstrap-0&#34;&#41;&#10; sa-bootstrap_ro &#61; optional&#40;string, &#34;prod-bootstrap-0r&#34;&#41;&#10; sa-cicd_template &#61; optional&#40;string, &#34;prod-&#36;&#36;&#123;key&#125;-1&#34;&#41;&#10; sa-cicd_template_ro &#61; optional&#40;string, &#34;prod-&#36;&#36;&#123;key&#125;-1r&#34;&#41;&#10; sa-resman &#61; optional&#40;string, &#34;prod-resman-0&#34;&#41;&#10; sa-resman_ro &#61; optional&#40;string, &#34;prod-resman-0r&#34;&#41;&#10; sa-vpcsc &#61; optional&#40;string, &#34;prod-vpcsc-0&#34;&#41;&#10; sa-vpcsc_ro &#61; optional&#40;string, &#34;prod-vpcsc-0r&#34;&#41;&#10; wf-bootstrap &#61; optional&#40;string, &#34;&#36;&#36;&#123;prefix&#125;-bootstrap&#34;&#41;&#10; wf-provider_template &#61; optional&#40;string, &#34;&#36;&#36;&#123;prefix&#125;-bootstrap-&#36;&#36;&#123;key&#125;&#34;&#41;&#10; wif-bootstrap &#61; optional&#40;string, 
&#34;&#36;&#36;&#123;prefix&#125;-bootstrap&#34;&#41;&#10; wif-provider_template &#61; optional&#40;string, &#34;&#36;&#36;&#123;prefix&#125;-bootstrap-&#36;&#36;&#123;key&#125;&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [workforce_identity_providers](variables.tf#L357) | Workforce Identity Federation pools. | <code title="map&#40;object&#40;&#123;&#10; attribute_condition &#61; optional&#40;string&#41;&#10; issuer &#61; string&#10; display_name &#61; string&#10; description &#61; string&#10; disabled &#61; optional&#40;bool, false&#41;&#10; saml &#61; optional&#40;object&#40;&#123;&#10; idp_metadata_xml &#61; string&#10; &#125;&#41;, null&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [workload_identity_providers](variables.tf#L373) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map&#40;object&#40;&#123;&#10; attribute_condition &#61; optional&#40;string&#41;&#10; issuer &#61; string&#10; custom_settings &#61; optional&#40;object&#40;&#123;&#10; issuer_uri &#61; optional&#40;string&#41;&#10; audiences &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; jwks_json &#61; optional&#40;string&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
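
Review bot: In the new `resource_names` row, the description points readers to what is "noted in the variable type", but the defaults use two placeholders, `$${key}` (in `pubsub-logs_template`, `sa-cicd_template`, `sa-cicd_template_ro`) and `$${prefix}` (in the `wf-*` and `wif-*` entries), and neither is named in the text. The stage 1 description in this same PR names its `$${name}` placeholder; doing the same here would tell users which tokens an override may contain and what each one expands to.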

2 changes: 1 addition & 1 deletion fast/stages/0-bootstrap/variables.tf
Expand Up @@ -323,7 +323,7 @@ variable "project_parent_ids" {
}

variable "resource_names" {
description = "Resource names overrides for specific resources. Check the code to determine which overrides are supported."
description = "Resource names overrides for specific resources. Prefix is always set via code, except where noted in the variable type."
type = object({
bq-billing = optional(string, "billing_export")
bq-logs = optional(string, "logs")
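
Review bot: The new description says the prefix is set via code "except where noted in the variable type", yet the type lines visible here (`bq-billing`, `bq-logs`) carry no note, so it is unclear what form the note takes. If the intent is that a `$${prefix}` token in a default marks the exception, say so in the description, or add a `#` comment beside each such attribute.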
5 changes: 3 additions & 2 deletions fast/stages/1-resman/README.md
Expand Up @@ -278,9 +278,10 @@ terraform apply
| [groups](variables-fast.tf#L88) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10; gcp-billing-admins &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10; gcp-devops &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10; gcp-network-admins &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10; gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10; gcp-security-admins &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
| [locations](variables-fast.tf#L103) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10; bq &#61; optional&#40;string, &#34;EU&#34;&#41;&#10; gcs &#61; optional&#40;string, &#34;EU&#34;&#41;&#10; logging &#61; optional&#40;string, &#34;global&#34;&#41;&#10; pubsub &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
| [outputs_location](variables.tf#L31) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> | | <code>null</code> | |
| [resource_names](variables.tf#L37) | Resource names overrides for specific resources. Stage names are interpolated via `$${name}`. Prefix is always set via code, except where noted in the variable type. | <code title="object&#40;&#123;&#10; gcs-net &#61; optional&#40;string, &#34;prod-resman-&#36;&#36;&#123;name&#125;-0&#34;&#41;&#10; gcs-nsec &#61; optional&#40;string, &#34;resman-&#36;&#36;&#123;name&#125;-0&#34;&#41;&#10; gcs-pf &#61; optional&#40;string, &#34;resman-&#36;&#36;&#123;name&#125;-0&#34;&#41;&#10; gcs-sec &#61; optional&#40;string, &#34;prod-resman-&#36;&#36;&#123;name&#125;-0&#34;&#41;&#10; gcs-stage3 &#61; optional&#40;string, &#34;resman-&#36;&#36;&#123;name&#125;-0&#34;&#41;&#10; sa-cicd_ro &#61; optional&#40;string, &#34;resman-&#36;&#36;&#123;name&#125;-1r&#34;&#41;&#10; sa-cicd_rw &#61; optional&#40;string, &#34;resman-&#36;&#36;&#123;name&#125;-1&#34;&#41;&#10; sa-net_ro &#61; optional&#40;string, &#34;prod-resman-&#36;&#36;&#123;name&#125;-0r&#34;&#41;&#10; sa-net_rw &#61; optional&#40;string, &#34;prod-resman-&#36;&#36;&#123;name&#125;-0&#34;&#41;&#10; sa-pf_ro &#61; optional&#40;string, &#34;resman-&#36;&#36;&#123;name&#125;-0r&#34;&#41;&#10; sa-pf_rw &#61; optional&#40;string, &#34;resman-&#36;&#36;&#123;name&#125;-0&#34;&#41;&#10; sa-nsec_ro &#61; optional&#40;string, &#34;resman-&#36;&#36;&#123;name&#125;-0r&#34;&#41;&#10; sa-nsec_rw &#61; optional&#40;string, &#34;resman-&#36;&#36;&#123;name&#125;-0&#34;&#41;&#10; sa-sec_ro &#61; optional&#40;string, &#34;prod-resman-&#36;&#36;&#123;name&#125;-0r&#34;&#41;&#10; sa-sec_rw &#61; optional&#40;string, &#34;prod-resman-&#36;&#36;&#123;name&#125;-0&#34;&#41;&#10; sa-stage3_ro &#61; optional&#40;string, &#34;resman-&#36;&#36;&#123;name&#125;-0r&#34;&#41;&#10; sa-stage3_rw &#61; optional&#40;string, &#34;resman-&#36;&#36;&#123;name&#125;-0&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [root_node](variables-fast.tf#L153) | Root node for the hierarchy, if running in tenant mode. | <code>string</code> | | <code>null</code> | <code>0-bootstrap</code> |
| [tag_names](variables.tf#L37) | Customized names for resource management tags. | <code title="object&#40;&#123;&#10; context &#61; optional&#40;string, &#34;context&#34;&#41;&#10; environment &#61; optional&#40;string, &#34;environment&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [tags](variables.tf#L51) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; values &#61; optional&#40;map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; id &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [tag_names](variables.tf#L62) | Customized names for resource management tags. | <code title="object&#40;&#123;&#10; context &#61; optional&#40;string, &#34;context&#34;&#41;&#10; environment &#61; optional&#40;string, &#34;environment&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> | |
| [tags](variables.tf#L76) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; values &#61; optional&#40;map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; id &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> | |
| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | <code title="map&#40;object&#40;&#123;&#10; name &#61; string&#10; parent_id &#61; optional&#40;string&#41;&#10; automation &#61; optional&#40;object&#40;&#123;&#10; environment_name &#61; optional&#40;string, &#34;prod&#34;&#41;&#10; sa_impersonation_principals &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; short_name &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; contacts &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; factories_config &#61; optional&#40;object&#40;&#123;&#10; org_policies &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; firewall_policy &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; policy &#61; string&#10; &#125;&#41;&#41;&#10; is_fast_context &#61; optional&#40;bool, true&#41;&#10; logging_data_access &#61; optional&#40;map&#40;map&#40;list&#40;string&#41;&#41;&#41;, &#123;&#125;&#41;&#10; logging_exclusions &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; logging_settings &#61; optional&#40;object&#40;&#123;&#10; disable_default_sink &#61; optional&#40;bool&#41;&#10; storage_location &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; logging_sinks &#61; optional&#40;map&#40;object&#40;&#123;&#10; bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10; description &#61; optional&#40;string&#41;&#10; destination &#61; string&#10; disabled &#61; optional&#40;bool, false&#41;&#10; exclusions &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; filter &#61; optional&#40;string&#41;&#10; iam &#61; optional&#40;bool, true&#41;&#10; include_children &#61; optional&#40;bool, true&#41;&#10; type &#61; string&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam &#61; 
optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10; members &#61; list&#40;string&#41;&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; iam_by_principals &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10; inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10; reset &#61; optional&#40;bool&#41;&#10; rules &#61; optional&#40;list&#40;object&#40;&#123;&#10; allow &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; deny &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10; condition &#61; optional&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; expression &#61; optional&#40;string&#41;&#10; location &#61; optional&#40;string&#41;&#10; title &#61; optional&#40;string&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#91;&#93;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10; tag_bindings &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | 
<code>&#123;&#125;</code> | |

## Outputs
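
Review bot: In the added `resource_names` row, the defaults for the `net` and `sec` entries (`gcs-net`, `gcs-sec`, `sa-net_*`, `sa-sec_*`) start with `prod-resman-`, while `gcs-nsec`, `gcs-pf`, `gcs-stage3` and the remaining `sa-*` entries start with `resman-`, and the description does not explain the difference. If the names without `prod-` get an environment or other segment added in code, state that in the description so an override does not produce an unexpected service account or bucket name. Minor: `sa-pf_*` is listed before `sa-nsec_*`, which breaks the otherwise alphabetical order of the attributes.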